void benchmark_cipher(int debug_level)
{
int size = 16;
gnutls_global_set_log_function(tls_log_func);
gnutls_global_set_log_level(debug_level);
gnutls_rnd(GNUTLS_RND_NONCE, data, sizeof(data));
printf("Checking cipher-MAC combinations, payload size: %u\n", size * 1024);
cipher_mac_bench(GNUTLS_CIPHER_SALSA20_256, GNUTLS_MAC_SHA1, size);
cipher_mac_bench(GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1, size);
cipher_mac_bench(GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA256,
size);
cipher_bench(GNUTLS_CIPHER_AES_128_GCM, size, 1);
printf("\nChecking MAC algorithms, payload size: %u\n", size * 1024);
mac_bench(GNUTLS_MAC_SHA1, size);
mac_bench(GNUTLS_MAC_SHA256, size);
mac_bench(GNUTLS_MAC_SHA512, size);
printf("\nChecking ciphers, payload size: %u\n", size * 1024);
cipher_bench(GNUTLS_CIPHER_3DES_CBC, size, 0);
cipher_bench(GNUTLS_CIPHER_AES_128_CBC, size, 0);
cipher_bench(GNUTLS_CIPHER_ARCFOUR, size, 0);
cipher_bench(GNUTLS_CIPHER_SALSA20_256, size, 0);
gnutls_global_deinit();
}
QT_BEGIN_NAMESPACE_CERTIFICATE
/*!
\class RandomGenerator
\brief The RandomGenerator class is a tool for creating hard random numbers.
The RandomGenerator class provides a source of secure random numbers using
the gnutls rnd API. The numbers are suitable for uses such as certificate
serial numbers.
*/
/*!
Generates a set of random bytes of the specified size. In order to allow
these to be conveniently used as serial numbers, this method ensures that
the value returned is positive (ie. that the first bit is 0). This means
that you get one less bit of entropy than requested, but avoids
interoperability issues.
Note that this method will either return the number of bytes requested,
or a null QByteArray. It will never return a smaller number.
*/
QByteArray RandomGenerator::getPositiveBytes(int size)
{
QByteArray result(size, 0);
int errno = gnutls_rnd(GNUTLS_RND_RANDOM, result.data(), size);
if (GNUTLS_E_SUCCESS != errno)
return QByteArray();
// Clear the top bit to ensure the number is positive
char *data = result.data();
*data = *data & 0x07f;
return result;
}
static void
_generate_request (gnutls_datum_t * rdata, gnutls_x509_crt_t cert,
gnutls_x509_crt_t issuer)
{
gnutls_ocsp_req_t req;
int ret;
unsigned char noncebuf[23];
gnutls_datum_t nonce = { noncebuf, sizeof (noncebuf) };
ret = gnutls_ocsp_req_init (&req);
if (ret < 0)
exit (1);
ret = gnutls_ocsp_req_add_cert (req, GNUTLS_DIG_SHA1, issuer, cert);
if (ret < 0)
exit (1);
ret = gnutls_rnd (GNUTLS_RND_RANDOM, nonce.data, nonce.size);
if (ret < 0)
exit (1);
ret = gnutls_ocsp_req_set_nonce (req, 0, &nonce);
if (ret < 0)
exit (1);
ret = gnutls_ocsp_req_export (req, rdata);
if (ret != 0)
exit (1);
gnutls_ocsp_req_deinit (req);
return;
}
static int generate_cookie(sec_mod_st * sec, client_entry_st * entry)
{
int ret;
Cookie msg = COOKIE__INIT;
msg.username = entry->auth_info.username;
msg.groupname = entry->auth_info.groupname;
msg.hostname = entry->hostname;
msg.ip = entry->auth_info.remote_ip;
msg.tls_auth_ok = entry->tls_auth_ok;
/* Fixme: possibly we should allow for completely random seeds */
if (sec->config->predictable_ips != 0) {
msg.ipv4_seed = hash_any(entry->auth_info.username, strlen(entry->auth_info.username), 0);
} else {
ret = gnutls_rnd(GNUTLS_RND_NONCE, &msg.ipv4_seed, sizeof(msg.ipv4_seed));
if (ret < 0)
return -1;
}
msg.sid.data = entry->sid;
msg.sid.len = sizeof(entry->sid);
/* this is the time when this cookie must be activated (used to authenticate).
* if not activated by that time it expires */
msg.expiration = time(0) + sec->config->cookie_timeout;
ret =
encrypt_cookie(entry, &sec->dcookie_key, &msg, &entry->cookie,
&entry->cookie_size);
if (ret < 0)
return -1;
return 0;
}
void Call(char* buffer, size_t len)
{
#ifdef GNUTLS_HAS_RND
gnutls_rnd(GNUTLS_RND_RANDOM, buffer, len);
#else
gcry_randomize(buffer, len, GCRY_STRONG_RANDOM);
#endif
}
gboolean
crypto_randomize (void *buffer, gsize buffer_len, GError **error)
{
if (!crypto_init (error))
return FALSE;
gnutls_rnd (GNUTLS_RND_RANDOM, buffer, buffer_len);
return TRUE;
}
QByteArray Plugin::_generatePassword(unsigned int size)
{
QByteArray data(size, 0);
int error;
ASSERT(gnutls_rnd(GNUTLS_RND_RANDOM, data.data(), size));
for (unsigned int i = 0; i < size; ++i)
data[i] = ((unsigned char)data[i] % 93 + 32);
return (data);
}
int
rb_get_random(void *buf, size_t length)
{
#if GNUTLS_VERSION_MAJOR < 3
gcry_randomize(buf, length, GCRY_STRONG_RANDOM);
#else
gnutls_rnd(GNUTLS_RND_KEY, buf, length);
#endif
return 1;
}
void Curl_gtls_random(struct SessionHandle *data,
unsigned char *entropy,
size_t length)
{
#if defined(USE_GNUTLS_NETTLE)
(void)data;
gnutls_rnd(GNUTLS_RND_RANDOM, entropy, length);
#elif defined(USE_GNUTLS)
Curl_gtls_seed(data); /* Initiate the seed if not already done */
gcry_randomize(entropy, length, GCRY_STRONG_RANDOM);
#endif
}
static void ask_server(const char *url)
{
gnutls_datum_t resp_data;
int ret, v = 0;
gnutls_x509_crt_t cert, issuer;
unsigned char noncebuf[23];
gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) };
gnutls_datum_t *n;
cert = load_cert();
issuer = load_issuer();
if (ENABLED_OPT(NONCE)) {
ret =
gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size);
if (ret < 0) {
fprintf(stderr, "gnutls_rnd: %s\n",
gnutls_strerror(ret));
exit(1);
}
n = &nonce;
} else {
n = NULL;
}
ret =
send_ocsp_request(url, cert, issuer, &resp_data, n);
if (ret < 0) {
fprintf(stderr, "Cannot send OCSP request\n");
exit(1);
}
_response_info(&resp_data);
if (HAVE_OPT(LOAD_TRUST)) {
v = _verify_response(&resp_data, n, NULL);
} else if (HAVE_OPT(LOAD_SIGNER)) {
v = _verify_response(&resp_data, n, load_signer());
} else {
fprintf(stderr,
"\nAssuming response's signer = issuer (use --load-signer to override).\n");
v = _verify_response(&resp_data, n, issuer);
}
if (HAVE_OPT(OUTFILE) && (v == 0 || HAVE_OPT(IGNORE_ERRORS))) {
fwrite(resp_data.data, 1, resp_data.size, outfile);
}
if (v && !HAVE_OPT(IGNORE_ERRORS))
exit(1);
}
static char *
_srp_crypt (const char *username, const char *passwd, int salt_size,
const gnutls_datum_t * g, const gnutls_datum_t * n)
{
unsigned char salt[128];
static char result[1024];
gnutls_datum_t dat_salt, txt_salt;
gnutls_datum_t verifier, txt_verifier;
if ((unsigned) salt_size > sizeof (salt))
return NULL;
/* generate the salt
*/
if (gnutls_rnd (GNUTLS_RND_NONCE, salt, salt_size) < 0)
{
fprintf (stderr, "Could not create nonce\n");
return NULL;
}
dat_salt.data = salt;
dat_salt.size = salt_size;
if (gnutls_srp_verifier (username, passwd, &dat_salt, g, n, &verifier) < 0)
{
fprintf (stderr, "Error getting verifier\n");
return NULL;
}
/* base64 encode the verifier */
if (gnutls_srp_base64_encode_alloc (&verifier, &txt_verifier) < 0)
{
fprintf (stderr, "Error encoding\n");
free (verifier.data);
return NULL;
}
free (verifier.data);
if (gnutls_srp_base64_encode_alloc (&dat_salt, &txt_salt) < 0)
{
fprintf (stderr, "Error encoding\n");
return NULL;
}
sprintf (result, "%s:%s", txt_verifier.data, txt_salt.data);
free (txt_salt.data);
free (txt_verifier.data);
return result;
}
void Random::generate(char *buffer, size_t size) const
{
gnutls_rnd_level_t level;
switch(mLevel)
{
case Nonce: level = GNUTLS_RND_NONCE; break;
case Crypto: level = GNUTLS_RND_RANDOM; break;
case Key: level = GNUTLS_RND_KEY; break;
}
int ret = gnutls_rnd(level, buffer, size);
if(ret < 0) throw Exception(String("Random generator error: ") + gnutls_strerror(ret));
}
client_entry_st *new_client_entry(sec_mod_st *sec, const char *ip)
{
struct htable *db = sec->client_db;
client_entry_st *e, *te;
int ret;
int retries = 3;
e = talloc_zero(db, client_entry_st);
if (e == NULL) {
return NULL;
}
strlcpy(e->auth_info.remote_ip, ip, sizeof(e->auth_info.remote_ip));
do {
ret = gnutls_rnd(GNUTLS_RND_RANDOM, e->sid, sizeof(e->sid));
if (ret < 0) {
seclog(sec, LOG_ERR, "error generating SID");
goto fail;
}
/* check if in use */
te = find_client_entry(sec, e->sid);
} while(te != NULL && retries-- >= 0);
if (te != NULL) {
seclog(sec, LOG_ERR,
"could not generate a unique SID!");
goto fail;
}
base64_encode((char *)e->sid, SID_SIZE, (char *)e->auth_info.psid, sizeof(e->auth_info.psid));
e->time = time(0);
if (htable_add(db, rehash(e, NULL), e) == 0) {
seclog(sec, LOG_ERR,
"could not add client entry to hash table");
goto fail;
}
return e;
fail:
talloc_free(e);
return NULL;
}
void doit(void)
{
#ifndef _WIN32
int res;
unsigned i;
int serial = 0;
char buf[128];
res = read(3, buf, 16);
if (res == 16)
serial = 1;
/* close all descriptors */
for (i=3;i<1024;i++)
close(i);
res = gnutls_global_init();
if (res != 0)
fail("global_init\n");
if (serial != 0) {
res = read(3, buf, 16);
if (res != 16) {
fail("could not open fd, or OS doesn't assign fds in a serial way (%d)\n", res);
}
}
res = gnutls_global_init();
if (res != 0)
fail("global_init2\n");
gnutls_rnd_refresh();
res = gnutls_rnd(GNUTLS_RND_RANDOM, buf, sizeof(buf));
if (res != 0)
fail("gnutls_rnd\n");
gnutls_global_deinit();
if (debug)
success("init-close success\n");
#else
return;
#endif
}
/*
* Sends heartbeat data.
*/
static int
heartbeat_send_data(gnutls_session_t session, const void *data,
size_t data_size, uint8_t type)
{
int ret, pos;
uint8_t *response;
response = gnutls_malloc(1 + 2 + data_size + DEFAULT_PAYLOAD_SIZE);
if (response == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
pos = 0;
response[pos++] = type;
_gnutls_write_uint16(data_size, &response[pos]);
pos += 2;
memcpy(&response[pos], data, data_size);
pos += data_size;
ret =
gnutls_rnd(GNUTLS_RND_NONCE, &response[pos],
DEFAULT_PAYLOAD_SIZE);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
pos += DEFAULT_PAYLOAD_SIZE;
ret =
_gnutls_send_int(session, GNUTLS_HEARTBEAT, -1,
EPOCH_WRITE_CURRENT, response, pos,
MBUFFER_FLUSH);
cleanup:
gnutls_free(response);
return ret;
}
/**
* gnutls_session_ticket_key_generate:
* @key: is a pointer to a #gnutls_datum_t which will contain a newly
* created key.
*
* Generate a random key to encrypt security parameters within
* SessionTicket.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, or an
* error code.
*
* Since: 2.10.0
**/
int gnutls_session_ticket_key_generate(gnutls_datum_t * key)
{
if (_gnutls_fips_mode_enabled()) {
int ret;
/* in FIPS140-2 mode gnutls_key_generate imposes
* some limits on allowed key size, thus it is not
* used. These limits do not affect this function as
* it does not generate a "key" but rather key material
* that includes nonces and other stuff. */
key->data = gnutls_malloc(TICKET_MASTER_KEY_SIZE);
if (key->data == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
key->size = TICKET_MASTER_KEY_SIZE;
ret = gnutls_rnd(GNUTLS_RND_RANDOM, key->data, key->size);
if (ret < 0) {
gnutls_free(key->data);
return ret;
}
return 0;
} else {
return gnutls_key_generate(key, TICKET_MASTER_KEY_SIZE);
}
}
static int randomize_uuid(TSS_UUID * uuid)
{
uint8_t raw_uuid[16];
int ret;
ret = gnutls_rnd(GNUTLS_RND_NONCE, raw_uuid, sizeof(raw_uuid));
if (ret < 0)
return gnutls_assert_val(ret);
/* mark it as random uuid */
raw_uuid[6] &= 0x0f;
raw_uuid[6] |= 0x40;
raw_uuid[8] &= 0x0f;
raw_uuid[8] |= 0x80;
memcpy(&uuid->ulTimeLow, raw_uuid, 4);
memcpy(&uuid->usTimeMid, &raw_uuid[4], 2);
memcpy(&uuid->usTimeHigh, &raw_uuid[6], 2);
uuid->bClockSeqHigh = raw_uuid[8];
uuid->bClockSeqLow = raw_uuid[9];
memcpy(&uuid->rgbNode, &raw_uuid[10], 6);
return 0;
}
static void mac_bench(int algo, int size)
{
void *_key;
int blocksize = gnutls_hmac_get_len(algo);
int step = size * 1024;
struct benchmark_st st;
void *input;
unsigned char c, *i;
ALLOCM(input, MAX_MEM);
i = input;
_key = malloc(blocksize);
if (_key == NULL)
return;
memset(_key, 0xf0, blocksize);
printf("%16s ", gnutls_mac_get_name(algo));
fflush(stdout);
assert(gnutls_rnd(GNUTLS_RND_NONCE, &c, 1) >= 0);
start_benchmark(&st);
do {
gnutls_hmac_fast(algo, _key, blocksize, i, step, _key);
st.size += step;
INC(input, i, step);
}
while (benchmark_must_finish == 0);
stop_benchmark(&st, NULL, 1);
FREE(input);
free(_key);
}
void doit(void)
{
int ret;
unsigned int mode;
gnutls_cipher_hd_t ch;
gnutls_hmac_hd_t mh;
gnutls_session_t session;
gnutls_pubkey_t pubkey;
gnutls_x509_privkey_t xprivkey;
gnutls_privkey_t privkey;
gnutls_datum_t key = { key16, sizeof(key16) };
gnutls_datum_t iv = { iv16, sizeof(iv16) };
fprintf(stderr,
"Please note that if in FIPS140 mode, you need to assure the library's integrity prior to running this test\n");
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
mode = gnutls_fips140_mode_enabled();
if (mode == 0) {
success("We are not in FIPS140 mode\n");
exit(77);
}
ret = global_init();
if (ret < 0) {
fail("Cannot initialize library\n");
}
/* Try crypto.h functionality */
ret =
gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv);
if (ret < 0) {
fail("gnutls_cipher_init failed\n");
}
gnutls_cipher_deinit(ch);
ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
if (ret < 0) {
fail("gnutls_hmac_init failed\n");
}
gnutls_hmac_deinit(mh, NULL);
ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
if (ret < 0) {
fail("gnutls_rnd failed\n");
}
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0) {
fail("gnutls_pubkey_init failed\n");
}
gnutls_pubkey_deinit(pubkey);
ret = gnutls_privkey_init(&privkey);
if (ret < 0) {
fail("gnutls_privkey_init failed\n");
}
gnutls_privkey_deinit(privkey);
ret = gnutls_x509_privkey_init(&xprivkey);
if (ret < 0) {
fail("gnutls_privkey_init failed\n");
}
gnutls_x509_privkey_deinit(xprivkey);
ret = gnutls_init(&session, 0);
if (ret < 0) {
fail("gnutls_init failed\n");
}
gnutls_deinit(session);
/* Test when FIPS140 is set to error state */
_gnutls_lib_simulate_error();
/* Try crypto.h functionality */
ret =
gnutls_cipher_init(&ch, GNUTLS_CIPHER_AES_128_CBC, &key, &iv);
if (ret >= 0) {
fail("gnutls_cipher_init succeeded when in FIPS140 error state\n");
}
ret = gnutls_hmac_init(&mh, GNUTLS_MAC_SHA1, key.data, key.size);
if (ret >= 0) {
fail("gnutls_hmac_init succeeded when in FIPS140 error state\n");
}
ret = gnutls_rnd(GNUTLS_RND_NONCE, key16, sizeof(key16));
if (ret >= 0) {
fail("gnutls_rnd succeeded when in FIPS140 error state\n");
}
ret = gnutls_pubkey_init(&pubkey);
if (ret >= 0) {
fail("gnutls_pubkey_init succeeded when in FIPS140 error state\n");
}
ret = gnutls_privkey_init(&privkey);
if (ret >= 0) {
fail("gnutls_privkey_init succeeded when in FIPS140 error state\n");
}
ret = gnutls_x509_privkey_init(&xprivkey);
if (ret >= 0) {
fail("gnutls_x509_privkey_init succeeded when in FIPS140 error state\n");
}
ret = gnutls_init(&session, 0);
if (ret >= 0) {
fail("gnutls_init succeeded when in FIPS140 error state\n");
}
gnutls_global_deinit();
return;
}
/**
* gnutls_pkcs12_generate_mac2:
* @pkcs12: A pkcs12 type
* @mac: the MAC algorithm to use
* @pass: The password for the MAC
*
* This function will generate a MAC for the PKCS12 structure.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
int gnutls_pkcs12_generate_mac2(gnutls_pkcs12_t pkcs12, gnutls_mac_algorithm_t mac, const char *pass)
{
uint8_t salt[8], key[MAX_HASH_SIZE];
int result;
const int iter = 10*1024;
mac_hd_st td1;
gnutls_datum_t tmp = { NULL, 0 };
unsigned mac_size, key_len;
uint8_t mac_out[MAX_HASH_SIZE];
const mac_entry_st *me = mac_to_entry(mac);
if (pkcs12 == NULL || me == NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
if (me->oid == NULL)
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
mac_size = _gnutls_mac_get_algo_len(me);
key_len = mac_size;
/* Generate the salt.
*/
result = gnutls_rnd(GNUTLS_RND_NONCE, salt, sizeof(salt));
if (result < 0) {
gnutls_assert();
return result;
}
/* Write the salt into the structure.
*/
result =
asn1_write_value(pkcs12->pkcs12, "macData.macSalt", salt,
sizeof(salt));
if (result != ASN1_SUCCESS) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
/* write the iterations
*/
if (iter > 1) {
result =
_gnutls_x509_write_uint32(pkcs12->pkcs12,
"macData.iterations", iter);
if (result < 0) {
gnutls_assert();
goto cleanup;
}
}
/* Generate the key.
*/
#if ENABLE_GOST
if (me->id == GNUTLS_MAC_GOSTR_94 ||
me->id == GNUTLS_MAC_STREEBOG_256 ||
me->id == GNUTLS_MAC_STREEBOG_512) {
key_len = 32;
result = _gnutls_pkcs12_gost_string_to_key(me->id,
salt,
sizeof(salt),
iter,
pass,
mac_size,
key);
} else
#endif
result = _gnutls_pkcs12_string_to_key(me, 3 /*MAC*/,
salt, sizeof(salt),
iter, pass,
mac_size, key);
if (result < 0) {
gnutls_assert();
goto cleanup;
}
/* Get the data to be MACed
*/
result = _decode_pkcs12_auth_safe(pkcs12->pkcs12, NULL, &tmp);
if (result < 0) {
gnutls_assert();
goto cleanup;
}
/* MAC the data
*/
result = _gnutls_mac_init(&td1, me,
key, key_len);
if (result < 0) {
gnutls_assert();
goto cleanup;
}
_gnutls_mac(&td1, tmp.data, tmp.size);
_gnutls_free_datum(&tmp);
_gnutls_mac_deinit(&td1, mac_out);
result =
asn1_write_value(pkcs12->pkcs12, "macData.mac.digest", mac_out,
mac_size);
if (result != ASN1_SUCCESS) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
result =
asn1_write_value(pkcs12->pkcs12,
"macData.mac.digestAlgorithm.parameters",
NULL, 0);
if (result != ASN1_SUCCESS && result != ASN1_ELEMENT_NOT_FOUND) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
result =
asn1_write_value(pkcs12->pkcs12,
"macData.mac.digestAlgorithm.algorithm",
me->oid, 1);
if (result != ASN1_SUCCESS) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
return 0;
cleanup:
_gnutls_free_datum(&tmp);
return result;
}
int
main (int argc, char **argv)
{
gaainfo info;
int ret;
#ifndef _WIN32
struct passwd *pwd;
#endif
unsigned char key[MAX_KEY_SIZE];
char hex_key[MAX_KEY_SIZE * 2 + 1];
gnutls_datum_t dkey;
size_t hex_key_size = sizeof (hex_key);
set_program_name (argv[0]);
if ((ret = gnutls_global_init ()) < 0)
{
fprintf (stderr, "global_init: %s\n", gnutls_strerror (ret));
exit (1);
}
umask (066);
if (gaa (argc, argv, &info) != -1)
{
fprintf (stderr, "Error in the arguments.\n");
return -1;
}
if (info.passwd == NULL)
info.passwd = (char *) KPASSWD;
if (info.username == NULL)
{
#ifndef _WIN32
pwd = getpwuid (getuid ());
if (pwd == NULL)
{
fprintf (stderr, "No such user\n");
return -1;
}
info.username = pwd->pw_name;
#else
fprintf (stderr, "Please specify a user\n");
return -1;
#endif
}
if (info.key_size > MAX_KEY_SIZE)
{
fprintf (stderr, "Key size is too long\n");
exit (1);
}
if (info.key_size < 1)
info.key_size = 16;
printf ("Generating a random key for user '%s'\n", info.username);
ret = gnutls_rnd (GNUTLS_RND_RANDOM, (char *) key, info.key_size);
if (ret < 0)
{
fprintf (stderr, "Not enough randomness\n");
exit (1);
}
dkey.data = key;
dkey.size = info.key_size;
ret = gnutls_hex_encode (&dkey, hex_key, &hex_key_size);
if (ret < 0)
{
fprintf (stderr, "HEX encoding error\n");
exit (1);
}
ret = write_key (info.username, hex_key, hex_key_size, info.passwd);
if (ret == 0)
printf ("Key stored to %s\n", info.passwd);
return ret;
}
/**
* gnutls_pkcs11_privkey_generate3:
* @url: a token URL
* @pk: the public key algorithm
* @bits: the security bits
* @label: a label
* @cid: The CKA_ID to use for the new object
* @fmt: the format of output params. PEM or DER
* @pubkey: will hold the public key (may be %NULL)
* @key_usage: One of GNUTLS_KEY_*
* @flags: zero or an OR'ed sequence of %GNUTLS_PKCS11_OBJ_FLAGs
*
* This function will generate a private key in the specified
* by the @url token. The private key will be generate within
* the token and will not be exportable. This function will
* store the DER-encoded public key in the SubjectPublicKeyInfo format
* in @pubkey. The @pubkey should be deinitialized using gnutls_free().
*
* Note that when generating an elliptic curve key, the curve
* can be substituted in the place of the bits parameter using the
* GNUTLS_CURVE_TO_BITS() macro.
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.4.0
**/
int
gnutls_pkcs11_privkey_generate3(const char *url, gnutls_pk_algorithm_t pk,
unsigned int bits, const char *label,
const gnutls_datum_t *cid,
gnutls_x509_crt_fmt_t fmt,
gnutls_datum_t * pubkey,
unsigned int key_usage,
unsigned int flags)
{
int ret;
const ck_bool_t tval = 1;
const ck_bool_t fval = 0;
struct pkcs11_session_info sinfo;
struct p11_kit_uri *info = NULL;
ck_rv_t rv;
struct ck_attribute a[22], p[22];
ck_object_handle_t pub_ctx, priv_ctx;
unsigned long _bits = bits;
int a_val, p_val;
struct ck_mechanism mech;
gnutls_pubkey_t pkey = NULL;
gnutls_pkcs11_obj_t obj = NULL;
gnutls_datum_t der = {NULL, 0};
ck_key_type_t key_type;
uint8_t id[20];
struct dsa_params dsa_params;
PKCS11_CHECK_INIT;
FIX_KEY_USAGE(pk, key_usage);
memset(&sinfo, 0, sizeof(sinfo));
ret = pkcs11_url_to_info(url, &info, 0);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret =
pkcs11_open_session(&sinfo, NULL, info,
SESSION_WRITE |
pkcs11_obj_flags_to_int(flags));
p11_kit_uri_free(info);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
/* a holds the public key template
* and p the private key */
a_val = p_val = 0;
mech.parameter = NULL;
mech.parameter_len = 0;
mech.mechanism = pk_to_genmech(pk, &key_type);
if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY)) {
a[a_val].type = CKA_TOKEN;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_PRIVATE;
a[a_val].value = (void *) &fval;
a[a_val].value_len = sizeof(fval);
a_val++;
}
a[a_val].type = CKA_ID;
if (cid == NULL || cid->size == 0) {
ret = gnutls_rnd(GNUTLS_RND_NONCE, id, sizeof(id));
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
a[a_val].value = (void *) id;
a[a_val].value_len = sizeof(id);
} else {
a[a_val].value = (void *) cid->data;
a[a_val].value_len = cid->size;
}
p[p_val].type = CKA_ID;
p[p_val].value = a[a_val].value;
p[p_val].value_len = a[a_val].value_len;
a_val++;
p_val++;
switch (pk) {
case GNUTLS_PK_RSA:
p[p_val].type = CKA_DECRYPT;
if (key_usage & (GNUTLS_KEY_DECIPHER_ONLY|GNUTLS_KEY_ENCIPHER_ONLY)) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
p[p_val].type = CKA_SIGN;
if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
a[a_val].type = CKA_ENCRYPT;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
a[a_val].type = CKA_MODULUS_BITS;
a[a_val].value = &_bits;
a[a_val].value_len = sizeof(_bits);
a_val++;
a[a_val].type = CKA_PUBLIC_EXPONENT;
a[a_val].value = (char*)def_rsa_pub_exp;
a[a_val].value_len = sizeof(def_rsa_pub_exp);
a_val++;
break;
case GNUTLS_PK_DSA:
p[p_val].type = CKA_SIGN;
if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
ret = _dsa_params_generate(sinfo.module, sinfo.pks, _bits,
&dsa_params, a, &a_val);
if (ret < 0) {
goto cleanup;
}
break;
case GNUTLS_PK_EC:
p[p_val].type = CKA_SIGN;
if (key_usage & GNUTLS_KEY_DIGITAL_SIGNATURE) {
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
} else {
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
}
p_val++;
a[a_val].type = CKA_VERIFY;
a[a_val].value = (void *) &tval;
a[a_val].value_len = sizeof(tval);
a_val++;
if (GNUTLS_BITS_ARE_CURVE(bits)) {
bits = GNUTLS_BITS_TO_CURVE(bits);
} else {
bits = _gnutls_ecc_bits_to_curve(bits);
}
ret = _gnutls_x509_write_ecc_params(bits, &der);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
a[a_val].type = CKA_EC_PARAMS;
a[a_val].value = der.data;
a[a_val].value_len = der.size;
a_val++;
break;
default:
ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
goto cleanup;
}
/*
* on request, add the CKA_WRAP/CKA_UNWRAP key attribute
*/
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_KEY_WRAP) {
p[p_val].type = CKA_UNWRAP;
p[p_val].value = (void*)&tval;
p[p_val].value_len = sizeof(tval);
p_val++;
a[a_val].type = CKA_WRAP;
a[a_val].value = (void*)&tval;
a[a_val].value_len = sizeof(tval);
a_val++;
}
/* a private key is set always as private unless
* requested otherwise
*/
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE) {
p[p_val].type = CKA_PRIVATE;
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
p_val++;
} else {
p[p_val].type = CKA_PRIVATE;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
}
p[p_val].type = CKA_TOKEN;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
if (label) {
p[p_val].type = CKA_LABEL;
p[p_val].value = (void *) label;
p[p_val].value_len = strlen(label);
p_val++;
a[a_val].type = CKA_LABEL;
a[a_val].value = (void *) label;
a[a_val].value_len = strlen(label);
a_val++;
}
if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_SENSITIVE) {
p[p_val].type = CKA_SENSITIVE;
p[p_val].value = (void *) &tval;
p[p_val].value_len = sizeof(tval);
p_val++;
} else {
p[p_val].type = CKA_SENSITIVE;
p[p_val].value = (void *) &fval;
p[p_val].value_len = sizeof(fval);
p_val++;
}
rv = pkcs11_generate_key_pair(sinfo.module, sinfo.pks, &mech, a,
a_val, p, p_val, &pub_ctx, &priv_ctx);
if (rv != CKR_OK) {
gnutls_assert();
_gnutls_debug_log("p11: %s\n", pkcs11_strerror(rv));
ret = pkcs11_rv_to_err(rv);
goto cleanup;
}
/* extract the public key */
if (pubkey) {
ret = gnutls_pubkey_init(&pkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pkcs11_obj_init(&obj);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
obj->pk_algorithm = pk;
obj->type = GNUTLS_PKCS11_OBJ_PUBKEY;
ret =
pkcs11_read_pubkey(sinfo.module, sinfo.pks, pub_ctx,
key_type, obj);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_import_pkcs11(pkey, obj, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_export2(pkey, fmt, pubkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
}
cleanup:
if (obj != NULL)
gnutls_pkcs11_obj_deinit(obj);
if (pkey != NULL)
gnutls_pubkey_deinit(pkey);
if (sinfo.pks != 0)
pkcs11_close_session(&sinfo);
gnutls_free(der.data);
return ret;
}
static void test_ciphersuite(const char *cipher_prio, int size)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
gnutls_certificate_credentials_t c_certcred, s_certcred;
gnutls_session_t server;
int sret, cret;
const char *str;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
gnutls_packet_t packet;
const char *name;
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_certificate_allocate_credentials(&s_certcred);
gnutls_certificate_set_x509_key_mem(s_certcred, &server_cert,
&server_key,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(s_certcred, &server_ecc_cert,
&server_ecc_key,
GNUTLS_X509_FMT_PEM);
gnutls_init(&server, GNUTLS_SERVER);
ret = gnutls_priority_set_direct(server, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, s_certcred);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
reset_buffers();
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_certificate_allocate_credentials(&c_certcred);
gnutls_init(&client, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct(client, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, c_certcred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
HANDSHAKE(client, server);
name = gnutls_cipher_get_name(gnutls_cipher_get(server));
fprintf(stdout, "%30s - %s ", name, gnutls_protocol_get_name(
gnutls_protocol_get_version(server)));
fflush(stdout);
ret = gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
start_benchmark(&st);
do {
do {
ret = gnutls_record_send(client, buffer, size);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed sending to server\n");
exit(1);
}
do {
ret =
gnutls_record_recv_packet(server, &packet);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed receiving from client: %s\n", gnutls_strerror(ret));
exit(1);
}
st.size += size;
gnutls_packet_deinit(packet);
}
while (benchmark_must_finish == 0);
stop_benchmark(&st, NULL, 1);
gnutls_bye(client, GNUTLS_SHUT_WR);
gnutls_bye(server, GNUTLS_SHUT_WR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
}
static void test_ciphersuite(const char *cipher_prio, int size)
{
/* Server stuff. */
gnutls_anon_server_credentials_t s_anoncred;
const gnutls_datum_t p3 = { (char *) pkcs3, strlen(pkcs3) };
static gnutls_dh_params_t dh_params;
gnutls_session_t server;
int sret, cret;
const char *str;
/* Client stuff. */
gnutls_anon_client_credentials_t c_anoncred;
gnutls_session_t client;
/* Need to enable anonymous KX specifically. */
int ret;
struct benchmark_st st;
/* Init server */
gnutls_anon_allocate_server_credentials(&s_anoncred);
gnutls_dh_params_init(&dh_params);
gnutls_dh_params_import_pkcs3(dh_params, &p3, GNUTLS_X509_FMT_PEM);
gnutls_anon_set_server_dh_params(s_anoncred, dh_params);
gnutls_init(&server, GNUTLS_SERVER);
ret = gnutls_priority_set_direct(server, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(server, GNUTLS_CRD_ANON, s_anoncred);
gnutls_dh_set_prime_bits(server, 1024);
gnutls_transport_set_push_function(server, server_push);
gnutls_transport_set_pull_function(server, server_pull);
gnutls_transport_set_ptr(server, (gnutls_transport_ptr_t) server);
reset_buffers();
/* Init client */
gnutls_anon_allocate_client_credentials(&c_anoncred);
gnutls_init(&client, GNUTLS_CLIENT);
ret = gnutls_priority_set_direct(client, cipher_prio, &str);
if (ret < 0) {
fprintf(stderr, "Error in %s\n", str);
exit(1);
}
gnutls_credentials_set(client, GNUTLS_CRD_ANON, c_anoncred);
gnutls_transport_set_push_function(client, client_push);
gnutls_transport_set_pull_function(client, client_pull);
gnutls_transport_set_ptr(client, (gnutls_transport_ptr_t) client);
HANDSHAKE(client, server);
fprintf(stdout, "Testing %s with %d packet size: ",
gnutls_cipher_suite_get_name(gnutls_kx_get(server),
gnutls_cipher_get(server),
gnutls_mac_get(server)), size);
fflush(stdout);
gnutls_rnd(GNUTLS_RND_NONCE, buffer, sizeof(buffer));
start_benchmark(&st);
do {
do {
ret = gnutls_record_send(client, buffer, size);
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed sending to server\n");
exit(1);
}
do {
ret = gnutls_record_recv(server, buffer, sizeof(buffer));
}
while (ret == GNUTLS_E_AGAIN);
if (ret < 0) {
fprintf(stderr, "Failed receiving from client\n");
exit(1);
}
st.size += size;
}
while (benchmark_must_finish == 0);
stop_benchmark(&st, NULL);
gnutls_bye(client, GNUTLS_SHUT_WR);
gnutls_bye(server, GNUTLS_SHUT_WR);
gnutls_deinit(client);
gnutls_deinit(server);
gnutls_anon_free_client_credentials(c_anoncred);
gnutls_anon_free_server_credentials(s_anoncred);
gnutls_dh_params_deinit(dh_params);
}
static void cipher_bench(int algo, int size, int aead)
{
int ret;
gnutls_cipher_hd_t ctx;
void *_key, *_iv;
gnutls_aead_cipher_hd_t actx;
gnutls_datum_t key, iv;
int ivsize = gnutls_cipher_get_iv_size(algo);
int keysize = gnutls_cipher_get_key_size(algo);
int step = size * 1024;
void *input, *output;
struct benchmark_st st;
unsigned char c, *i;
_key = malloc(keysize);
if (_key == NULL)
return;
memset(_key, 0xf0, keysize);
_iv = malloc(ivsize);
if (_iv == NULL) {
free(_key);
return;
}
memset(_iv, 0xf0, ivsize);
iv.data = _iv;
iv.size = ivsize;
key.data = _key;
key.size = keysize;
printf("%24s ", gnutls_cipher_get_name(algo));
fflush(stdout);
assert(gnutls_rnd(GNUTLS_RND_NONCE, &c, 1) >= 0);
ALLOCM(input, MAX_MEM);
ALLOCM(output, step+64);
i = input;
start_benchmark(&st);
if (algo == GNUTLS_CIPHER_NULL) {
do {
force_memcpy(output, i, step);
st.size += step;
INC(input, i, step);
}
while (benchmark_must_finish == 0);
} else if (aead != 0) {
unsigned tag_size = gnutls_cipher_get_tag_size(algo);
size_t out_size;
ret = gnutls_aead_cipher_init(&actx, algo, &key);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
goto leave;
}
do {
out_size = step+64;
assert(gnutls_aead_cipher_encrypt(actx, iv.data, iv.size, NULL, 0, tag_size,
i, step, output, &out_size) >= 0);
st.size += step;
INC(input, i, step);
}
while (benchmark_must_finish == 0);
gnutls_aead_cipher_deinit(actx);
} else {
ret = gnutls_cipher_init(&ctx, algo, &key, &iv);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
goto leave;
}
do {
gnutls_cipher_encrypt2(ctx, i, step, output, step + 64);
st.size += step;
INC(input, i, step);
}
while (benchmark_must_finish == 0);
gnutls_cipher_deinit(ctx);
}
stop_benchmark(&st, NULL, 1);
FREE(input);
FREE(output);
leave:
free(_key);
free(_iv);
}
/*
* Helper function converts a data blob to a gnutls_datum_t.
* Note that this does not copy the data.
* So the returned value should be treated as read only.
* And that changes to the length of the underlying DATA_BLOB
* will not be reflected in the returned object.
*
*/
static const gnutls_datum_t convert_from_data_blob(DATA_BLOB blob) {
const gnutls_datum_t datum = {
.size = blob.length,
.data = blob.data,
};
return datum;
}
/*
* @brief Get the gnutls algorithm needed to decrypt the EncryptedSecret
*
* @param ldb ldb context, to allow logging.
* @param es the encrypted secret
*
* @return The gnutls algoritm number, or 0 if there is no match.
*
*/
static int gnutls_get_algorithm(struct ldb_context *ldb,
struct EncryptedSecret *es) {
switch (es->header.algorithm) {
case ENC_SECRET_AES_128_AEAD:
return GNUTLS_CIPHER_AES_128_GCM;
default:
ldb_asprintf_errstring(ldb,
"Unsupported encryption algorithm %d\n",
es->header.algorithm);
return 0;
}
}
/*
*
* @param err Pointer to an error code, set to:
* LDB_SUCESS If the value was successfully encrypted
* LDB_ERR_OPERATIONS_ERROR If there was an error.
*
* @param ctx Talloc memory context the will own the memory allocated
* @param ldb ldb context, to allow logging.
* @param val The ldb value to encrypt, not altered or freed
* @param data The context data for this module.
*
* @return The encrypted ldb_val, or data_blob_null if there was an error.
*/
static struct ldb_val gnutls_encrypt_aead(int *err,
TALLOC_CTX *ctx,
struct ldb_context *ldb,
const struct ldb_val val,
const struct es_data *data)
{
struct EncryptedSecret *es = NULL;
struct ldb_val enc = data_blob_null;
DATA_BLOB pt = data_blob_null;
gnutls_aead_cipher_hd_t cipher_hnd;
int rc;
TALLOC_CTX *frame = talloc_stackframe();
es = makeEncryptedSecret(ldb, frame);
if (es == NULL) {
goto error_exit;
}
pt = makePlainText(frame, ldb, val);
if (pt.length == 0) {
goto error_exit;
}
/*
* Set the encryption key and initialize the encryption handle.
*/
{
const size_t key_size = gnutls_cipher_get_key_size(
data->encryption_algorithm);
gnutls_datum_t cipher_key;
DATA_BLOB key_blob = get_key(data);
if (key_blob.length != key_size) {
ldb_asprintf_errstring(ldb,
"Invalid EncryptedSecrets key "
"size, expected %zu bytes and "
"it is %zu bytes\n",
key_size,
key_blob.length);
goto error_exit;
}
cipher_key = convert_from_data_blob(key_blob);
rc = gnutls_aead_cipher_init(&cipher_hnd,
data->encryption_algorithm,
&cipher_key);
if (rc !=0) {
ldb_asprintf_errstring(ldb,
"gnutls_aead_cipher_init failed "
"%s - %s\n",
gnutls_strerror_name(rc),
gnutls_strerror(rc));
goto error_exit;
}
}
/*
* Set the initialisation vector
*/
{
unsigned iv_size = gnutls_cipher_get_iv_size(
data->encryption_algorithm);
uint8_t *iv;
iv = talloc_zero_size(frame, iv_size);
if (iv == NULL) {
ldb_set_errstring(ldb,
"Out of memory allocating IV\n");
goto error_exit_handle;
}
rc = gnutls_rnd(GNUTLS_RND_NONCE, iv, iv_size);
if (rc !=0) {
ldb_asprintf_errstring(ldb,
"gnutls_rnd failed %s - %s\n",
gnutls_strerror_name(rc),
gnutls_strerror(rc));
goto error_exit_handle;
}
es->iv.length = iv_size;
es->iv.data = iv;
}
/*
* Encrypt the value.
*/
{
const unsigned block_size = gnutls_cipher_get_block_size(
data->encryption_algorithm);
const unsigned tag_size = gnutls_cipher_get_tag_size(
data->encryption_algorithm);
const size_t ed_size = round_to_block_size(
block_size,
sizeof(struct PlaintextSecret) + val.length);
const size_t en_size = ed_size + tag_size;
uint8_t *ct = talloc_zero_size(frame, en_size);
size_t el = en_size;
if (ct == NULL) {
ldb_set_errstring(ldb,
"Out of memory allocation cipher "
"text\n");
goto error_exit_handle;
}
rc = gnutls_aead_cipher_encrypt(
cipher_hnd,
es->iv.data,
es->iv.length,
&es->header,
sizeof(struct EncryptedSecretHeader),
tag_size,
pt.data,
pt.length,
ct,
&el);
if (rc !=0) {
ldb_asprintf_errstring(ldb,
"gnutls_aead_cipher_encrypt '"
"failed %s - %s\n",
gnutls_strerror_name(rc),
gnutls_strerror(rc));
*err = LDB_ERR_OPERATIONS_ERROR;
return data_blob_null;
}
es->encrypted.length = el;
es->encrypted.data = ct;
gnutls_aead_cipher_deinit(cipher_hnd);
}
rc = ndr_push_struct_blob(&enc,
ctx,
es,
(ndr_push_flags_fn_t)
ndr_push_EncryptedSecret);
if (!NDR_ERR_CODE_IS_SUCCESS(rc)) {
ldb_set_errstring(ldb,
"Unable to ndr push EncryptedSecret\n");
goto error_exit;
}
TALLOC_FREE(frame);
return enc;
error_exit_handle:
gnutls_aead_cipher_deinit(cipher_hnd);
error_exit:
*err = LDB_ERR_OPERATIONS_ERROR;
TALLOC_FREE(frame);
return data_blob_null;
}
/*
* @brief Decrypt data encrypted using an aead algorithm.
*
* Decrypt the data in ed and insert it into ev. The data was encrypted
* with one of the gnutls aead compatable algorithms.
*
* @param err Pointer to an error code, set to:
* LDB_SUCESS If the value was successfully decrypted
* LDB_ERR_OPERATIONS_ERROR If there was an error.
*
* @param ctx The talloc context that will own the PlaintextSecret
* @param ldb ldb context, to allow logging.
* @param ev The value to be updated with the decrypted data.
* @param ed The data to decrypt.
* @param data The context data for this module.
*
* @return ev is updated with the unencrypted data.
*/
static void gnutls_decrypt_aead(int *err,
TALLOC_CTX *ctx,
struct ldb_context *ldb,
struct EncryptedSecret *es,
struct PlaintextSecret *ps,
const struct es_data *data)
{
gnutls_aead_cipher_hd_t cipher_hnd;
DATA_BLOB pt = data_blob_null;
const unsigned tag_size =
gnutls_cipher_get_tag_size(es->header.algorithm);
int rc;
/*
* Get the encryption key and initialise the encryption handle
*/
{
gnutls_datum_t cipher_key;
DATA_BLOB key_blob;
const int algorithm = gnutls_get_algorithm(ldb, es);
const size_t key_size = gnutls_cipher_get_key_size(algorithm);
key_blob = get_key(data);
if (algorithm == 0) {
goto error_exit;
}
if (key_blob.length != key_size) {
ldb_asprintf_errstring(ldb,
"Invalid EncryptedSecrets key "
"size, expected %zu bytes and "
"it is %zu bytes\n",
key_size,
key_blob.length);
goto error_exit;
}
cipher_key = convert_from_data_blob(key_blob);
rc = gnutls_aead_cipher_init(
&cipher_hnd,
algorithm,
&cipher_key);
if (rc != 0) {
ldb_asprintf_errstring(ldb,
"gnutls_aead_cipher_init failed "
"%s - %s\n",
gnutls_strerror_name(rc),
gnutls_strerror(rc));
goto error_exit;
}
}
/*
* Decrypt and validate the encrypted value
*/
pt.length = es->encrypted.length;
pt.data = talloc_zero_size(ctx, es->encrypted.length);
if (pt.data == NULL) {
ldb_set_errstring(ldb,
"Out of memory allocating plain text\n");
goto error_exit_handle;
}
rc = gnutls_aead_cipher_decrypt(cipher_hnd,
es->iv.data,
es->iv.length,
&es->header,
sizeof(struct EncryptedSecretHeader),
tag_size,
es->encrypted.data,
es->encrypted.length,
pt.data,
&pt.length);
if (rc != 0) {
/*
* Typically this will indicate that the data has been
* corrupted i.e. the tag comparison has failed.
* At the moment gnutls does not provide a separate
* error code to indicate this
*/
ldb_asprintf_errstring(ldb,
"gnutls_aead_cipher_decrypt failed "
"%s - %s. Data possibly corrupted or "
"altered\n",
gnutls_strerror_name(rc),
gnutls_strerror(rc));
goto error_exit_handle;
}
gnutls_aead_cipher_deinit(cipher_hnd);
rc = ndr_pull_struct_blob(&pt,
ctx,
ps,
(ndr_pull_flags_fn_t)
ndr_pull_PlaintextSecret);
if(!NDR_ERR_CODE_IS_SUCCESS(rc)) {
ldb_asprintf_errstring(ldb,
"Error(%d) unpacking decrypted data, "
"data possibly corrupted or altered\n",
rc);
goto error_exit;
}
return;
error_exit_handle:
gnutls_aead_cipher_deinit(cipher_hnd);
error_exit:
*err = LDB_ERR_OPERATIONS_ERROR;
return;
}
static void cipher_mac_bench(int algo, int mac_algo, int size)
{
int ret;
gnutls_cipher_hd_t ctx;
gnutls_hmac_hd_t mac_ctx;
void *_key, *_iv;
gnutls_datum_t key, iv;
int ivsize = gnutls_cipher_get_iv_size(algo);
int keysize = gnutls_cipher_get_key_size(algo);
int step = size * 1024;
struct benchmark_st st;
void *output, *input;
unsigned char c, *i;
_key = malloc(keysize);
if (_key == NULL)
return;
memset(_key, 0xf0, keysize);
_iv = malloc(ivsize);
if (_iv == NULL) {
free(_key);
return;
}
memset(_iv, 0xf0, ivsize);
iv.data = _iv;
iv.size = ivsize;
key.data = _key;
key.size = keysize;
assert(gnutls_rnd(GNUTLS_RND_NONCE, &c, 1) >= 0);
printf("%19s-%s ", gnutls_cipher_get_name(algo),
gnutls_mac_get_name(mac_algo));
fflush(stdout);
ALLOCM(input, MAX_MEM);
ALLOC(output);
i = input;
start_benchmark(&st);
ret = gnutls_hmac_init(&mac_ctx, mac_algo, key.data, key.size);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
goto leave;
}
ret = gnutls_cipher_init(&ctx, algo, &key, &iv);
if (ret < 0) {
fprintf(stderr, "error: %s\n", gnutls_strerror(ret));
goto leave;
}
do {
gnutls_hmac(mac_ctx, i, step);
gnutls_cipher_encrypt2(ctx, i, step, output, step + 64);
st.size += step;
INC(input, i, step);
}
while (benchmark_must_finish == 0);
gnutls_cipher_deinit(ctx);
gnutls_hmac_deinit(mac_ctx, NULL);
stop_benchmark(&st, NULL, 1);
leave:
FREE(input);
FREE(output);
free(_key);
free(_iv);
}
/* Generate client key exchange message
*
*
* struct {
* select (KeyExchangeAlgorithm) {
* uint8_t psk_identity<0..2^16-1>;
* EncryptedPreMasterSecret;
* } exchange_keys;
* } ClientKeyExchange;
*/
static int
_gnutls_gen_rsa_psk_client_kx(gnutls_session_t session,
gnutls_buffer_st * data)
{
cert_auth_info_t auth = session->key.auth_info;
gnutls_datum_t sdata; /* data to send */
gnutls_pk_params_st params;
gnutls_psk_client_credentials_t cred;
gnutls_datum_t username, key;
int ret, free;
unsigned init_pos;
if (auth == NULL) {
/* this shouldn't have happened. The proc_certificate
* function should have detected that.
*/
gnutls_assert();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
gnutls_datum_t premaster_secret;
premaster_secret.size = GNUTLS_MASTER_SIZE;
premaster_secret.data =
gnutls_malloc(premaster_secret.size);
if (premaster_secret.data == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
/* Generate random */
ret = gnutls_rnd(GNUTLS_RND_RANDOM, premaster_secret.data,
premaster_secret.size);
if (ret < 0) {
gnutls_assert();
return ret;
}
/* Set version */
if (session->internals.rsa_pms_version[0] == 0) {
premaster_secret.data[0] =
_gnutls_get_adv_version_major(session);
premaster_secret.data[1] =
_gnutls_get_adv_version_minor(session);
} else { /* use the version provided */
premaster_secret.data[0] =
session->internals.rsa_pms_version[0];
premaster_secret.data[1] =
session->internals.rsa_pms_version[1];
}
/* move RSA parameters to key (session).
*/
if ((ret = _gnutls_get_public_rsa_params(session, ¶ms)) < 0) {
gnutls_assert();
return ret;
}
/* Encrypt premaster secret */
if ((ret =
_gnutls_pk_encrypt(GNUTLS_PK_RSA, &sdata, &premaster_secret,
¶ms)) < 0) {
gnutls_assert();
return ret;
}
gnutls_pk_params_release(¶ms);
cred = (gnutls_psk_client_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
if (cred == NULL) {
gnutls_assert();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
ret = _gnutls_find_psk_key(session, cred, &username, &key, &free);
if (ret < 0)
return gnutls_assert_val(ret);
/* Here we set the PSK key */
ret = set_rsa_psk_session_key(session, &key, &premaster_secret);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
/* Create message for client key exchange
*
* struct {
* uint8_t psk_identity<0..2^16-1>;
* EncryptedPreMasterSecret;
* }
*/
init_pos = data->length;
/* Write psk_identity and EncryptedPreMasterSecret into data stream
*/
ret =
_gnutls_buffer_append_data_prefix(data, 16,
username.data,
username.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
_gnutls_buffer_append_data_prefix(data, 16, sdata.data,
sdata.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = data->length - init_pos;
cleanup:
_gnutls_free_datum(&sdata);
_gnutls_free_temp_key_datum(&premaster_secret);
if (free) {
_gnutls_free_temp_key_datum(&key);
gnutls_free(username.data);
}
return ret;
}
/**
* infd_acl_account_info_set_password:
* @info: A #InfdAclAccountInfo.
* @password: The new password for the account, or %NULL.
* @error: Location to store error information, if any.
*
* Changes the password for the given account. If @password is %NULL the
* password is unset, which means that it is not possible to log into this
* account with password authentication.
*
* If @password is non-%NULL, a new random salt is generated and a SHA256
* hash of the salt and the password is stored.
*
* If an error occurs while changing the password the functions set @error
* and returns %FALSE.
*
* Returns: %TRUE in case of success or %FALSE otherwise.
*/
gboolean
infd_acl_account_info_set_password(InfdAclAccountInfo* info,
const gchar* password,
GError** error)
{
gchar* new_salt;
gchar* new_hash;
gchar* salted_password;
guint password_len;
int res;
g_return_val_if_fail(info != NULL, FALSE);
if(password == NULL)
{
g_free(info->password_salt);
g_free(info->password_hash);
info->password_salt = NULL;
info->password_hash = NULL;
}
else
{
new_salt = g_malloc(32);
res = gnutls_rnd(GNUTLS_RND_RANDOM, new_salt, 32);
if(res != GNUTLS_E_SUCCESS)
{
g_free(new_salt);
inf_gnutls_set_error(error, res);
return FALSE;
}
password_len = strlen(password);
salted_password = g_malloc(32 + password_len);
memcpy(salted_password, new_salt, 16);
memcpy(salted_password + 16, password, password_len);
memcpy(salted_password + 16 + password_len, new_salt + 16, 16);
new_hash = g_malloc(gnutls_hash_get_len(GNUTLS_DIG_SHA256));
res = gnutls_hash_fast(
GNUTLS_DIG_SHA256,
salted_password,
32 + password_len,
new_hash
);
g_free(salted_password);
if(res != GNUTLS_E_SUCCESS)
{
g_free(new_hash);
g_free(new_salt);
inf_gnutls_set_error(error, res);
return FALSE;
}
g_free(info->password_salt);
g_free(info->password_hash);
info->password_salt = new_salt;
info->password_hash = new_hash;
}
return TRUE;
}
/*
Process the client key exchange message
*/
static int
_gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
size_t _data_size)
{
gnutls_datum_t username;
psk_auth_info_t info;
gnutls_datum_t plaintext;
gnutls_datum_t ciphertext;
gnutls_datum_t pwd_psk = { NULL, 0 };
int ret, dsize;
int randomize_key = 0;
ssize_t data_size = _data_size;
gnutls_psk_server_credentials_t cred;
gnutls_datum_t premaster_secret = { NULL, 0 };
cred = (gnutls_psk_server_credentials_t)
_gnutls_get_cred(session, GNUTLS_CRD_PSK);
if (cred == NULL) {
gnutls_assert();
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
}
ret = _gnutls_auth_info_init(session, GNUTLS_CRD_PSK,
sizeof(psk_auth_info_st), 1);
if (ret < 0) {
gnutls_assert();
return ret;
}
/*** 1. Extract user psk_identity ***/
DECR_LEN(data_size, 2);
username.size = _gnutls_read_uint16(&data[0]);
DECR_LEN(data_size, username.size);
username.data = &data[2];
/* copy the username to the auth info structures
*/
info = _gnutls_get_auth_info(session, GNUTLS_CRD_PSK);
if (info == NULL) {
gnutls_assert();
return GNUTLS_E_INTERNAL_ERROR;
}
if (username.size > MAX_USERNAME_SIZE) {
gnutls_assert();
return GNUTLS_E_ILLEGAL_SRP_USERNAME;
}
memcpy(info->username, username.data, username.size);
info->username[username.size] = 0;
/* Adjust data so it points to EncryptedPreMasterSecret */
data += username.size + 2;
/*** 2. Decrypt and extract EncryptedPreMasterSecret ***/
DECR_LEN(data_size, 2);
ciphertext.data = &data[2];
dsize = _gnutls_read_uint16(data);
if (dsize != data_size) {
gnutls_assert();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
ciphertext.size = dsize;
ret =
gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
&ciphertext, &plaintext);
if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
/* In case decryption fails then don't inform
* the peer. Just use a random key. (in order to avoid
* attack against pkcs-1 formatting).
*/
gnutls_assert();
_gnutls_debug_log
("auth_rsa_psk: Possible PKCS #1 format attack\n");
if (ret >= 0) {
gnutls_free(plaintext.data);
}
randomize_key = 1;
} else {
/* If the secret was properly formatted, then
* check the version number.
*/
if (_gnutls_get_adv_version_major(session) !=
plaintext.data[0]
|| (session->internals.allow_wrong_pms == 0
&& _gnutls_get_adv_version_minor(session) !=
plaintext.data[1])) {
/* No error is returned here, if the version number check
* fails. We proceed normally.
* That is to defend against the attack described in the paper
* "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
* Ondej Pokorny and Tomas Rosa.
*/
gnutls_assert();
_gnutls_debug_log
("auth_rsa: Possible PKCS #1 version check format attack\n");
}
}
if (randomize_key != 0) {
premaster_secret.size = GNUTLS_MASTER_SIZE;
premaster_secret.data =
gnutls_malloc(premaster_secret.size);
if (premaster_secret.data == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
/* we do not need strong random numbers here.
*/
ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
premaster_secret.size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
} else {
premaster_secret.data = plaintext.data;
premaster_secret.size = plaintext.size;
}
/* This is here to avoid the version check attack
* discussed above.
*/
premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
/* find the key of this username
*/
ret =
_gnutls_psk_pwd_find_entry(session, info->username, &pwd_psk);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = 0;
cleanup:
_gnutls_free_key_datum(&pwd_psk);
_gnutls_free_temp_key_datum(&premaster_secret);
return ret;
}
